On 14 Sep 2006, at 13:27, Andrea Mistrali wrote:

Hi all,
sorry for being a little bit OT, but maybe you could answer my question :)

I have a customer that uses 192.168.0.0/24 on his LAN and is protected by a firewall based on OpenBSD 3.6 with PF. He needs to bring up an IPSEC tunnel to another entity with ISAKMPD, and I am the consultant that should make everything work. This other entity already has a tunnel to another LAN that uses 192.168.0.0/24 and asks me to NAT in some way the private addresses of my customer.

I tried to assign an IP address to the enc0 interface (and it works), then I put a "nat on enc0 from $LAN to $ENTITY -> enc0" and it works, but I need to bring up two flows, one for 192.168.0.0/24 and one for 192.168.13.0/24 (that is the address range I would like to use for NAT), because if I bring up only the flow for 192.168.13/24, packets coming from 192.168.0/24 would not be matched and would not pass through enc0.

This is, practically, of no use except for experimental tests.

Does anyone have some good idea, or had the same problem?

TIA
Andrea

I worked hard on it and found the solution. Since I have seen many posts on the Internet about this without a good response, here is the procedure:

1) create a lo1 interface, giving it the address we will use for NATting our Private LAN
        ifconfig lo1 192.168.113.254
2) add a static route to the remote private LAN via the lo1 address
        route add 10/8 192.168.113.254
3) configure NAT in pf.conf for interface lo1:
        nat on lo1 from $LAN to $REMOTE_LAN -> lo1
4) don't use generic keep state on enc0, but use it only for ipencap
        pass quick on enc0 proto ipencap all keep state
        pass quick on enc0
5) configure an IPSEC tunnel between lo1 address (or network) and remote private LAN


I hope this helps

Andre
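The five steps above, put together as one reviewable set of OpenBSD 3.6-era files. This is an added example, not code from the original post: it generates /etc/hostname.lo1, the route command, pf.conf and isakmpd.conf into a staging directory rather than touching the live system. The LAN (192.168.0.0/24), the lo1 address (192.168.113.254) and the remote LAN (10/8) come from the post; the external interface name fxp0, the gateway addresses 203.0.113.1 and 198.51.100.1, the pre-shared key, the 3DES/SHA transform names and the tightened enc0 filter rules (the post simply uses "pass quick on enc0") are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): stage the config files for the
# "NAT on lo1 before IPsec" trick. Run as: sh stage.sh /tmp/stage
# Assumed values (not in the post): EXT_IF, LOCAL_GW, PEER_GW, PSK, transforms.

LAN="192.168.0.0/24"          # customer's real LAN (from the post)
NAT_IP="192.168.113.254"      # address given to lo1 (from the post)
NAT_NET="192.168.113.0/24"    # what the peer sees instead of $LAN
NAT_MASK="255.255.255.0"
REMOTE_LAN="10.0.0.0/8"       # remote private LAN behind the peer (from the post)
REMOTE_MASK="255.0.0.0"
EXT_IF="fxp0"                 # external interface (assumption)
LOCAL_GW="203.0.113.1"        # our public address (assumption)
PEER_GW="198.51.100.1"        # peer's public address (assumption)
PSK="change-me"               # pre-shared key (assumption, replace before use)

# Step 1: lo1 carries the NAT address; hostname.lo1 makes it survive a reboot.
gen_hostname_lo1() { echo "inet $NAT_IP 255.255.255.255 NONE"; }

# Step 2: route the remote LAN via lo1, so outbound packets pass "out on lo1"
# and are translated before the IPsec flow is matched.
gen_route_cmd() { echo "route add -inet $REMOTE_LAN $NAT_IP"; }

# Steps 3 and 4: NAT on lo1; on enc0 only the encapsulation keeps state, the
# inner packets are passed stateless and limited to the tunnel's two networks.
gen_pf_conf() {
    cat <<EOF
ext_if = "$EXT_IF"
lan = "$LAN"
nat_ip = "$NAT_IP"
nat_net = "$NAT_NET"
remote_lan = "$REMOTE_LAN"
peer_gw = "$PEER_GW"
# step 3: translate the real LAN to the lo1 address on its way to the remote LAN
nat on lo1 from \$lan to \$remote_lan -> \$nat_ip
block log all
pass quick on lo0 all
pass quick on lo1 all
# step 4: state only for the encapsulation, never for the inner packets
pass quick on enc0 proto ipencap all keep state
pass in  quick on enc0 from \$remote_lan to \$nat_net
pass out quick on enc0 from \$nat_net to \$remote_lan
# IKE and ESP between the two gateways only
pass in  quick on \$ext_if proto udp from \$peer_gw to \$ext_if port 500
pass out quick on \$ext_if proto udp from \$ext_if to \$peer_gw port 500
pass in  quick on \$ext_if proto esp from \$peer_gw to \$ext_if
pass out quick on \$ext_if proto esp from \$ext_if to \$peer_gw
EOF
}

# Step 5: the phase 2 IDs are the lo1 network and the remote LAN; the real
# 192.168.0.0/24 never appears in the IPsec configuration.
gen_isakmpd_conf() {
    cat <<EOF
[General]
Listen-on=        $LOCAL_GW
[Phase 1]
$PEER_GW=         peer-gw
[Phase 2]
Connections=      natnet-to-remote
[peer-gw]
Phase=            1
Transport=        udp
Local-address=    $LOCAL_GW
Address=          $PEER_GW
Configuration=    Default-main-mode
Authentication=   $PSK
[natnet-to-remote]
Phase=            2
ISAKMP-peer=      peer-gw
Configuration=    Default-quick-mode
Local-ID=         nat-net
Remote-ID=        remote-net
[nat-net]
ID-type=          IPV4_ADDR_SUBNET
Network=          ${NAT_NET%/*}
Netmask=          $NAT_MASK
[remote-net]
ID-type=          IPV4_ADDR_SUBNET
Network=          ${REMOTE_LAN%/*}
Netmask=          $REMOTE_MASK
[Default-main-mode]
DOI=              IPSEC
EXCHANGE_TYPE=    ID_PROT
Transforms=       3DES-SHA
[Default-quick-mode]
DOI=              IPSEC
EXCHANGE_TYPE=    QUICK_MODE
Suites=           QM-ESP-3DES-SHA-PFS-SUITE
EOF
}

write_all() {
    mkdir -p "$1"
    gen_hostname_lo1 > "$1/hostname.lo1"
    gen_route_cmd    > "$1/route.sh"
    gen_pf_conf      > "$1/pf.conf"
    gen_isakmpd_conf > "$1/isakmpd.conf"
}

if [ $# -ge 1 ]; then write_all "$1"; fi
```

Review the staged files, then copy them to /etc, bring up lo1, add the route and load pf.conf with pfctl before starting isakmpd; isakmpd also needs a matching /etc/isakmpd/isakmpd.policy for the pre-shared key. The point to check on the peer side is that the phase 2 IDs it receives are 192.168.113.0/24 and 10.0.0.0/8, not 192.168.0.0/24.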

